
Openshift and php mail not sending - SELinux issue - SOLVED



Hi all,

I want to share my solution to a problem which I've had on two OpenShift installations. When I try to send an email from a PHP script, the server errors in "/var/log/maillog" and the email doesn't go.

SELinux is the cause. I can disable SELinux (as a test) and it works. Every article on this topic says "enable httpd_can_sendmail" but that is already set:

[root My-OpenShift includes]# tail -f /var/log/maillog 
May 31 12:21:13 My-OpenShift postfix/sendmail[6746]: fatal: chdir /var/spool/postfix: Permission denied
^C
[root My-OpenShift includes]# getsebool -a | grep sendmail
httpd_can_sendmail --> on

The "/var/log/audit/audit.log" logs show the following:

type=AVC msg=audit(1433041351.449:255991): avc:  denied  { search } for  pid=12038 comm="sendmail" name="postfix" dev=dm-0 ino=655594 scontext=unconfined_u:system_r:openshift_t:s0:c6,c293 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1433041351.449:255991): arch=c000003e syscall=80 success=no exit=-13 a0=7fadade5a8d0 a1=7fadade5c5a0 a2=2000 a3=7fff6274d050 items=0 ppid=26592 pid=12038 auid=6410 uid=6410 gid=6410 euid=6410 suid=6410 fsuid=6410 egid=6410 sgid=6410 fsgid=6410 tty=(none) ses=40573 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:openshift_t:s0:c6,c293 key=(null) 

I extracted the above out of "/var/log/audit/audit.log" and placed it in "/tmp/audit.log" as the above log grows fast. If you don't get it, run the command "semodule -DB" to enable logging. Disable it later with "semodule -B".
So I ran "sealert -a /tmp/audit.log" which asked me to run a few commands (below) which I did. And the error in "/var/log/maillog" was no longer appearing. It was fixed.

[root My-OpenShift includes]# grep sendmail /tmp/audit.log | audit2allow -M mypol
[root My-OpenShift includes]# semodule -i mypol.pp

Why this happens is beyond me. The above solution worked on one of my installations but not the other. I'll investigate why later. 

Ta,

 

-Andrew Galdes
Managing Director

RHCE, LPI, CCENT

AGIX Linux

Ph: 08 7324 4429
Mb: 0422 927 598

Find us: Website | LinkedIn | Blog | YouTube | Google+

Platform Architects for High Demand Web Applications.
